Robust Security Infrastructure - Short Duration Course - Combined 1

The document discusses creating a robust security infrastructure. It introduces the Customs-Trade Partnership Against Terrorism (CTPAT) model for addressing security challenges. It covers topics like corporate security, transportation security, risk assessment, and business partner security.

Uploaded by Rizky Rahman

Creation of a Robust Security Infrastructure

Lecture Series by WRAP

1
WRAP 12 Principles
Table of Contents
1. Session I: Introduction to Security Infrastructure
• General Security Concerns
• Introduction of CTPAT Model
• Addressing Security Challenges
2. Session II: New and Focused Requirements
3. Session III: Effective Management System
4. WRAP Overview
5. Session IV: Questions


General Security Concerns
• Security issues have become a major problem for every country.
• Tremendous changes to world society
o Through technological advancement
o People travelling across the globe
o Economic disparity
• Issues were exacerbated by
o Extreme perceptions of religious beliefs
o Transnational crimes like drug trafficking
o Cyber security issues
o Women are the most susceptible
• In a factory situation all the above issues were taken lightly by the management
o Missing or ineffective security risk assessment
o No focus on Business Partners' Security
o No focus on Cyber Security
o No focus on Agriculture Security
o No emphasis on a procedural approach
o Missing best practices
WALMART Acceptance of WRAP for Both Social and Security Audits

5
CBP Web Resources
• MSC for Foreign Manufacturers
• https://www.cbp.gov/border-security/ports-entry/cargo-security/ctpat/security-guidelines/foreign-manufacturers
• Five Step Risk Assessment Guide
• https://www.cbp.gov/sites/default/files/documents/C-TPAT%27s%20Five%20Step%20Risk%20Assessment%20Process.pdf
• MRA
• https://www.cbp.gov/border-security/ports-entry/cargo-security/c-tpat-customs-trade-partnership-against-terrorism/mutual-recognition
• Resource Library
• https://www.cbp.gov/border-security/ports-entry/cargo-security/c-tpat-customs-trade-partnership-against-terrorism/c-tpat-resource-library-and-job-aids
6
CTPAT as a model

7
CTPAT as a model to create Security Infrastructure
• CTPAT is a common and effective systemic requirement introduced by US Customs, designed as a deterrent against terrorism-related activities.
• We use this model to demonstrate implementing a robust infrastructure with the objective of providing a safe and healthy work environment.
• Companies have to protect people and products.
• Ensure confidentiality of information, financial records, trade secrets and much more.

8
Overview of Customs Trade Partnership Against Terrorism
The people and physical security focus area encompasses well-known criteria for securing facilities and training personnel. The education of employees is a key component of the criteria, and as such, training of personnel on the importance of security is now a Program requirement.
• Minimum Security Criteria (MSC)
• We will explain:
- Policies and Procedures
- Risk Assessment and Documentation
- Internal Monitoring
- Major Changes in this version
9
Focus Areas and Criteria Categories
Focus Area                     ID  Criteria Category
Corporate Security              1  Security Vision and Responsibility (New in 2019)
                                2  Risk Assessment
                                3  Business Partner Security
                                4  Cybersecurity (New in 2019)
Transportation Security         5  Conveyance and Instruments of International Traffic Security
                                6  Seal Security
                                7  Procedural Security
                                8  Agricultural Security (New in 2019)
People and Physical Security    9  Physical Access Controls
                               10  Physical Security
                               11  Personnel Security
                               12  Education, Training, and Awareness
3 Focus Areas; 12 Security Criteria Categories; each criterion has an ID number.
10
How to address security challenges
• Adopt a standard international practice that is globally
accepted.
• Understanding the requirements
• Involving people
• Developing objective based systems
• Regular monitoring
• Initiating improvement action plans
• Review of systems
11
Session II:
New and Focused Requirements

12
Focus Area: Corporate Security
Criteria Category: Security Vision & Responsibility
• Involvement of Top Management
• Statement of Support
• Security Performance Indicators
• Cross Functional Team
• Defined roles and responsibilities
• Documented system framework

13
1.1: Statement of Support
• CTPAT Members should demonstrate their commitment to supply chain security and the CTPAT Program through a statement of support, which should be signed by a senior company official and displayed in appropriate company locations.

• Implementation Guidance: The statement should highlight the company's commitment to protecting the supply chain from drug trafficking, terrorism, human smuggling and illegal contraband. The statement might be included on a website, on posters in key areas, and in security trainings and seminars.
1.2: Cross-Functional Team
• The Company should incorporate representatives from all the relevant departments into a cross-functional team. These updates should be included in existing company procedures.

• Implementation Guidance: Many departments, including Human Resources, Information Technology, and Import/Export, should be responsible for the development and execution of security standards.
1.3: Documented System
• The Company must have written procedures that detail personnel and their responsibilities. The document should be updated as needed and based on your risk assessment.

• Implementation Guidance: The document should be periodically reviewed based on the risk assessment. For members with high-risk supply chains (determined by their risk assessment), simulation or tabletop exercises may be included in the review program.
1.4: Proactive Point of Contact
• The Company's Point(s) of Contact (POC) to CTPAT must be knowledgeable about CTPAT program requirements as well as all updates to the program, and must report to upper management on issues related to the program, including the progress or outcomes of any audits, security-related exercises, and CTPAT validations.

• Implementation Guidance: This individual should be proactive and responsive, someone who:
– Engages and is responsive to his or her Supply Chain Security Specialist.
– Identifies additional individuals who may help support this function by listing them as contacts in the CTPAT Portal.
Risk Assessment

18
Focus Area: Corporate Security
Criteria Category: CTPAT Risk Assessment

19
Risk Assessment
• Full risk assessment including threats and vulnerabilities from both within and outside the organization.
• Focus on its implementation and effectiveness.
• Mapping of all security criteria to the risk assessment.
• Periodic review of the risk assessment.
• Preparing a security contingency plan.

20
CTPAT Five-Step Risk Assessment
Step 1. Mapping Goods and Cargo and Identifying Business Partners

Step 2. Conducting a Threat Assessment: Identifying Threats to the Supply Chain within the Country, Region, and/or City
– Terrorist Activity
– Drug Smuggling
– Corruption
– Human Trafficking

Step 3. Conducting a Vulnerability Assessment: Identifying Weaknesses in a Company's Procedures and Supply Chain

Step 4. Action Plan: Developed Once Threats and Weaknesses have been Identified

Step 5. Documenting the Processes and Procedures on how Risk Assessments Should be Conducted
2.2 Cargo Movement
• The risk assessment should include documentation or mapping of the movement of cargo, including from the facility to cargo hubs.

• Implementation Guidance: High-risk areas are the first to be considered, along with all applicable involved parties, including those who will only be handling the import/export documents.
2.3 Periodic Review of RA
• The risk assessment must be reviewed at least annually, or more frequently as dictated by the risk factors.

• Implementation Guidance: The risk assessment may need to be reviewed more frequently than once a year if there is an increased threat level from a specific country, or following:
• a security breach or incident,
• changes in business partners, and/or
• changes in corporate structure/ownership such as mergers and acquisitions, etc.
2.4 Contingency Plans
• It is recommended that the risk assessment include written procedures that address crisis management, business continuity, security recovery plans and business resumption.

• Implementation Guidance: A crisis (strikes, floods, cyber attacks, etc.) could disrupt business, both physical and cyber. Based on its risks, the Company should include contingency plans.
Business Partner Security
• Security-related monitoring of all Business Partners, based on the risk mapping.
• Focus on Money Laundering and Terror Funding.
• Focus on Social and Environmental Compliance.
- Be aware of Child Labor issues
- Environmental degradation and pollution
- Compliance with all legal requirements
- ESG Compliance is now a focus
• Focus on Subcontracted Processes.
• Periodic assessments and gradual improvement of business partners in terms of security.
25
Focus Area: Corporate Security
Criteria Category: Cybersecurity
• Cyber Security Policy and related
procedures.
• Use of updated cyber security systems –
firewalls, antivirus, etc.
• Use of Licensed software only.
• Periodic Inspection of IT Infrastructure.
• Addressing cyber security threats.
• Defined user rights and limitations in
software use.
• Data back-up policy.
• Disposal of IT waste

26
Focus Area: Corporate Security
4. Cybersecurity (NEW)

Cybersecurity is the key to safeguarding a company's most precious assets: intellectual property, customer information, financial and trade data, employee records, etc. With increased connectivity to the internet comes the risk of a breach of a company's information systems. This threat pertains to businesses of all types and sizes. Measures to secure a company's information technology (IT) and data are of paramount importance, and the listed criteria provide a foundation for an overall cybersecurity program for members.
Definitions of Cybersecurity
Cybersecurity – Cybersecurity is the activity or process that focuses on protecting computers, networks, programs, and data from unintended or unauthorized access, change or destruction. It is the process of identifying, analyzing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level, considering the costs and benefits of the actions taken.

Information Technology (IT) – Computers, storage, networking and other physical devices, infrastructure and processes to create, process, store, secure, and exchange all forms of electronic data.
4.1 Cybersecurity Policy
• There must be proper written cybersecurity policies in place safeguarding intellectual property, customer information, financial and trade data and employee records.
• Common-sense decisions should be based on industry standards and recommendations, and extended to Business Partners.

• Implementation Guidance: Your policies should follow recognized industry standards of security and should complement the Company's risk assessment.
4.2-4.3 Regular Updates
• In order to defend your IT system, you must have installed updated protections against malware, spyware, worms, etc. based on your risk assessment.

• Implementation Guidance: Confirm and document that the security system is tested regularly and that, if vulnerabilities are found, corrective actions are implemented in a timely manner.
4.4 Sharing Cyber Threat Information
• CTPAT members are expected to share with government
and business partners any cybersecurity threats.
• Implementation Guidance: Members are encouraged to
join the National Cybersecurity and Communications
Integration Center (NCCIC) which shares important
information for public and private sector partners.
4.5 Unauthorized Access of IT Systems
• A system must be in place to identify unauthorized use or abuse of the IT system.

• Implementation Guidance: Written policy and procedure should be kept up-to-date to reflect the system.
4.6 Periodic Review of Policies and Procedures
• Cyber security policy and procedures must be reviewed annually or as needed as risk and circumstances dictate. Internal monitoring would include review of these policies and procedures.

• Implementation Guidance: Written policy and procedure should be kept up-to-date to reflect the system.
4.7 User Access
• User access should be based on job description or assigned duties.

• Implementation Guidance: Access should be reviewed periodically, and access should be removed or changed based on position changes and employment status, such as resignation or retirement.
4.8-4.10 Protection from Infiltration
• 4.8: IT systems must use complex passwords, passphrases, or
other forms of authentication to protect against infiltration.
• 4.9: If using a remote connection, use a secured network like a
virtual private network (VPN).
• 4.10: If there is allowed use of personal devices, there must be
policy to support the use.

• Implementation Guidance:
– Authentication: 2FA or MFA preferred.
– Prefer long, easy-to-remember passphrases instead of passwords.
– Require screening of new passwords against lists of commonly used/compromised passwords.
4.11 Use of Licensed Software
• Policy should include measures to prevent use of unlicensed software.

• Implementation Guidance: Computer software is intellectual property (IP) owned by the entity that created it. Without the permission of the manufacturer or software publisher, it is illegal to install and use. Unlicensed software is more likely to fail as a result of an inability to update.
4.12 Data Backup
• Data should be backed up once a week or as appropriate based on your risk assessment. Sensitive information should be stored in encrypted format; storage types include cloud storage, hard disk drives or removable storage media.

• Implementation Guidance: The 3-2-1 Rule
3 – Keep 3 copies of any important file: 1 primary and 2 backups
2 – Keep the files on 2 different media types
1 – Store 1 copy offsite
4.13 Inventory of Sensitive Media Information
• Regular inventory must be kept of all media, hardware, or other IT
equipment that contains sensitive information regarding the
import/export process.
• Implementation Guidance: When disposed, records must be
properly cleaned and/or destroyed in accordance with the National
Institute of Standards and Technology (NIST) Guidelines for Media
Sanitization or other appropriate industry guidelines. Media
includes:
• Hard Drives
• CD-ROM/CD-R
• USB
• DVD
24/7 CCTV Surveillance
• Cameras must be positioned to cover key areas of facilities that pertain to the import/export process.

• Implementation Guidance: Key sensitive areas may be monitored via security cameras to record as much of the physical "chain of custody" within the facility's control as possible.
• Shipping/receiving
• Cargo loading and sealing process
• Conveyance arrival/exit
• IT servers;
• Container inspections (security and agricultural)
• Seal Storage

39
Focus Area: Transportation Security
Criteria Category: Conveyance and IIT Security

40
What are IIT?
Instruments of International Traffic – Containers, flatbeds, unit load devices
(ULDs), lift vans, cargo vans, shipping tanks, bins, skids, pallets, caul boards,
cores for textile fabrics, or other specialized containers arriving (loaded or empty)
in use or to be used in the shipment of merchandise in international trade.

41
Focus Area: Transportation Security
5. Conveyance and Instruments of International Traffic Security (IIT)

"Smuggling schemes often involve the modification of conveyances and Instruments of International Traffic (IIT), or the hiding of contraband inside IIT. At the point of stuffing/loading, procedures need to be in place to inspect IIT and properly seal them. Cargo in transit or "at rest" is under less control, and is therefore more vulnerable to infiltration, which is why seal controls and methods to track cargo/conveyances in transit are key security criteria. Breaches in supply chains occur most often during the transportation process; therefore, Members must be vigilant that these key cargo criteria be upheld throughout their supply chains."
5.1 Storage of Containers
• Conveyances and Instruments of International Traffic (IIT), commonly containers, must be stored to prevent unauthorized access.

• Implementation Guidance: The secure storage of conveyances and Instruments of International Traffic (both empty and full) is important to guard against unauthorized access.
5.2 Written Procedures for Inspection
• The Company must have written procedures for security and agricultural inspections.

• Implementation Guidance: In an effort to avoid smuggling schemes, there must be procedures and policies that enforce inspections of conveyances. In addition, the prevention of pest contamination is important.
5.3 Inspection of IIT including Tractor and Trailers
• Prior to loading/stuffing/packing, all conveyances and empty Instruments of International Traffic must undergo CTPAT-approved security and agricultural inspections to ensure their structures haven't been modified to conceal contraband or been contaminated with visible agricultural pests.

Inspection of tractors and trailers, as specified by CTPAT, is now a requirement.
5.3 Inspection of Tractor Trailers
5.4 Inspection of Container
• Inspect the door, handles, and locking mechanisms to identify any damage and to detect tampering.

• The hinges of the door should be sealed. Even for smaller facilities, a procedure should be established for transporting the goods from the facility to the main container loading station.

• Records must be maintained.

• Container Inspection Reports – signed and authorized.
5.5 Inspection of Container Checklist
• A checklist should be used for the inspection of all IITs. The checklist should include:
1. Container/Trailer/Instruments of International Traffic number
2. Date of inspection
3. Time of inspection
4. Name of employee conducting the inspection
5. Specific areas of the Instruments of International Traffic that were inspected

• The completed inspection sheet should be signed by a supervisor and included in the shipping document packet.
5.6 Monitoring the Inspection
of Container
• All security inspections should be monitored, and performed in a
CCTV covered area
5.7 Pest Contamination during the Inspection of Container
• If, during an inspection, visible pest contamination is found in the container, washing/vacuuming must be carried out to remove the contamination.

• Implementation Guidance: Maintain records of where the contamination was found and how the contamination was eliminated. Records must be retained for one year.
5.8 – 5.14 – 5.16 Random Inspections & Tracking Shipments
• 5.8: Based on your risk assessment, random searches of containers should be conducted. If possible, the inspections should be unannounced and at random locations.

• Implementation Guidance: Supervisory searches of conveyances are conducted to counter internal conspiracies.

• 5.14: Periodically check in with your shipping partners to track your shipments from the facility to the final destination.

• 5.16: Recommends a no-stop policy for shipments in close proximity to the US.
5.24 VVTT Container and Trailer Inspection
• Inspection should include checking for signs of seal tampering. This includes visual inspections and VVTT seal verification. Properly trained individuals should conduct the inspections.

V View
V Verify
T Tug
T Twist

V – View seal and container locking mechanisms; ensure they are OK
V – Verify seal number against shipment documents for accuracy
T – Tug on seal to make sure it is affixed properly
T – Twist and turn the bolt seal to make sure its components do not unscrew, separate from one another, or any part of the seal becomes loose
5.24 VVTT Container and Trailer Inspection (illustration: View, Verify, Tug, Twist)

5.29 Addressing Discovered Threats

• If a credible (or detected) threat to the security of a shipment or conveyance is discovered, the Member must alert (as soon as feasibly possible) any business partners in the supply chain that may be affected and any law enforcement agencies, as appropriate.

• Implementation Guidance: Create a process and procedure on how to address threats that are discovered.
Focus Area: Transportation Security
Criteria Category: Seal Security
Focus Area: Transportation Security
6. Seal Security

“The sealing of trailers and containers, to include continuous seal integrity, continues to be
a crucial element of the secure supply chain. Seal security includes having a
comprehensive written seal policy that addresses all aspects of seal security; using the
correct seals per CTPAT requirements; properly placing a seal on an IIT and verifying that
the seal has been affixed properly.”
6.1 Seal Security Written Policy and Procedure
• The facility must have documented policies and procedures that describe how seals are issued and controlled at the facility and, if possible, during transit.

• The procedure should include appropriate steps and actions if tampering is discovered. The written procedure should include (but is not limited to):
• Controlling Access to Seals:
– Management of seals is restricted to authorized personnel.
– Secure storage.

• Inventory, Distribution, & Tracking (Seal Log):
– Recording the receipt of new seals.
– Issuance of seals recorded in the log.
– Tracking seals via the log.
– Only trained, authorized personnel may affix seals to Instruments of International Traffic (IIT).
6.1 Seal Security Written Policy and Procedure
• Controlling Seals in Transit
– When picking up sealed IIT (or after stopping), verify the seal is intact with no signs of tampering.
– Confirm the seal number matches what is noted on the shipping documents.

• Seals Broken in Transit
– If the load is examined, record the replacement seal number.
– The driver must immediately notify dispatch when a seal is broken, indicate who broke it and provide the new seal number.
– The carrier must immediately notify the shipper, broker and importer of the seal change and the replacement seal number.
– The shipper must note the replacement seal number in the seal log.

• Seal Discrepancies:
– Hold any seal discovered to be altered or tampered with, to aid in the investigation.
– Investigate the discrepancy; follow up with corrective measures (if warranted).
– As applicable, report compromised seals to CBP and the appropriate foreign government to aid in the investigation.
6.2 Immediate Sealing of Shipments

• ALL CTPAT shipments that can be sealed must be sealed immediately by the responsible party. This might be the loading/stuffing/packing party, and it must be done with a high security seal that meets or exceeds the most current International Organization for Standardization (ISO) 17712 standard for high security seals. Qualifying cable and bolt seals are both acceptable.

• Implementation Guidance: The high security seal must be placed on the Secure Cam position.
6.5 Document High Security Seals
• CTPAT Members must be able to document that the high security seals they use meet or exceed the most current ISO 17712 standard.

• Implementation Guidance: Acceptable forms of compliance include a copy of the laboratory testing certificate that shows compliance with ISO 17712 standards.
6.6 Auditing Inventory of Seals
• If a facility maintains a seal inventory, it MUST conduct audits of the seals. The audit will include a periodic inventory of stored seals and reconciliation against the seal inventory and shipping documents.

• Implementation Guidance: Warehouse Supervisors and/or dock Supervisors must periodically verify seal numbers on conveyances and IIT.
• All audits must be documented.
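A reconciliation check of the kind 6.1 (seal log, replacement seals, discrepancies) and 6.6 (audit against shipping documents and the physical count) call for, written here as an added example rather than CTPAT or WRAP material. The seal log, shipping documents, physical count and the log's event layout are all constructed assumptions.

```python
"""Seal log reconciliation (added example; constructed data, not from CTPAT or WRAP)."""

# Constructed seal log, one tuple per event in the order it was recorded:
#   ("received", seal, "", batch)              seal added to the secure store
#   ("issued",   seal, shipment, issued_by)    seal affixed to an IIT for a shipment
#   ("replaced", seal, shipment, old_seal)     seal broken in transit and replaced
SEAL_LOG = [
    ("received", "S1001", "", "batch-7"),
    ("received", "S1002", "", "batch-7"),
    ("received", "S1003", "", "batch-7"),
    ("received", "S1004", "", "batch-7"),
    ("received", "S1005", "", "batch-7"),
    ("issued", "S1001", "SHP-01", "dock-a"),
    ("issued", "S1002", "SHP-02", "dock-a"),
    ("issued", "S1003", "SHP-03", "dock-b"),
    ("replaced", "S1004", "SHP-02", "S1002"),  # driver reported S1002 broken at inspection
]

# Constructed shipping documents: shipment -> seal number written on the paperwork.
SHIPPING_DOCS = {
    "SHP-01": "S1001",
    "SHP-02": "S1004",  # updated with the replacement seal, as 6.1 requires
    "SHP-03": "S9999",  # does not match the log: hold the seal and investigate
}

PHYSICAL_COUNT = 1  # constructed: seals actually counted in the store today


def replay_log(seal_log):
    """Walk the log and return (received, consumed, seal_by_shipment, problems).

    A seal may only be issued or used as a replacement if it was received into
    inventory and not used before; a replacement must name the seal the log
    currently shows on that shipment, so the chain of custody stays unbroken.
    """
    received, consumed, by_shipment, problems = set(), set(), {}, []
    for event, seal, shipment, note in seal_log:
        if event == "received":
            received.add(seal)
        elif event in ("issued", "replaced"):
            if seal not in received or seal in consumed:
                problems.append(("unrecorded_seal", shipment, seal))
            if event == "replaced" and by_shipment.get(shipment) != note:
                problems.append(("replacement_chain", shipment,
                                 f"claims {note}, log has {by_shipment.get(shipment)}"))
            consumed.add(seal)
            by_shipment[shipment] = seal
        else:
            problems.append(("unknown_event", shipment, event))
    return received, consumed, by_shipment, problems


def reconcile(seal_log, shipping_docs, physical_count):
    """Cross-check the seal log against shipping documents and the physical count.

    Returns the number of seals expected in the store and a list of
    (kind, shipment, detail) discrepancies to hold for investigation.
    """
    received, consumed, by_shipment, discrepancies = replay_log(seal_log)
    for shipment, log_seal in by_shipment.items():
        doc_seal = shipping_docs.get(shipment)
        if doc_seal is None:
            discrepancies.append(("missing_document", shipment, log_seal))
        elif doc_seal != log_seal:
            discrepancies.append(("seal_mismatch", shipment,
                                  f"doc {doc_seal} vs log {log_seal}"))
    for shipment in shipping_docs.keys() - by_shipment.keys():
        discrepancies.append(("unlogged_shipment", shipment, shipping_docs[shipment]))
    expected = len(received - consumed)  # received but never issued or used as replacement
    if physical_count != expected:
        discrepancies.append(("inventory_count", "",
                              f"counted {physical_count}, expected {expected}"))
    return {"expected_in_store": expected, "discrepancies": discrepancies}


if __name__ == "__main__":
    result = reconcile(SEAL_LOG, SHIPPING_DOCS, PHYSICAL_COUNT)
    print(f"seals expected in store: {result['expected_in_store']}")
    for kind, shipment, detail in result["discrepancies"]:
        print(f"HOLD/INVESTIGATE {kind:<18} {shipment or '-':<8} {detail}")
```

On the constructed data the store count agrees with the log, and the only finding is SHP-03, whose paperwork carries a seal number the log never issued.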
6.7 VVTT Seal Verification
• Inspection should include checking for signs of seal tampering. This includes
visual inspections and VVTT seal verification. Properly trained individuals should
conduct the inspections.

V View
V Verify
T Tug
T Twist

V – View seal and container locking mechanisms; ensure they are OK;
V – Verify seal number against shipment documents for accuracy;
T – Tug on seal to make sure it is affixed properly;
T – Twist and turn the bolt seal to make sure its components do not unscrew,
separate from one another, or any part of the seal becomes loose.
Conveyance and IIT Security
• Access controlled parking area of
Conveyances and IITs.
• Written procedures to carry out security
and agriculture inspection – before
loading, during and after loading.
• Loading must be under CCTV controlled
area.
• Random inspection of conveyance in
transit.

63
What is Pest Contamination?
Visible forms of animals, insects or other invertebrates (alive or
dead, in any lifecycle stage, including egg casings or rafts), or any
organic material of animal origin (including blood, bones, hair,
flesh, secretions, excretions); viable or non-viable plants or plant
products (including fruit, seeds, leaves, twigs, roots, bark); or other
organic material, including fungi; or soil, or water; where such
products are not the manifested cargo within instruments of
international traffic (i.e. containers, unit load devices, etc.).

Visible = No specialized equipment needed for inspections

64
Agricultural Security
• Washing or Vacuum Cleaning of conveyance in
case of any PEST contamination noted during
inspection.
• Written procedures designed to prevent visible
pest contamination to include compliance with
Wood Packaging Materials (WPM) regulations.
• WPM is defined as wood or wood products
(excluding paper products) used in supporting,
protecting, or carrying a commodity
65
Session III:
Effective Management System

66
What to do?
Develop a system framework:
System Documents              Implementation Guide
Policies                      Procedures to implement policies
Risk Assessment               Objectives/Performance Indicators
Work Instructions             Records to demonstrate compliance
Periodic Monitoring           Improvement Actions
Incident Investigation        Root cause analysis and Corrective Actions
Emergency Training and Drills
Anonymous Grievance Mechanism
• An anonymous grievance mechanism should be in place for the facility. When an allegation is received, it should be investigated, and if applicable, corrective actions should be taken.

• Workers are more likely to report internal problems such as theft, fraud, and internal conspiracies if it is anonymous and they do not have to fear reprisal.

• Anonymous grievance mechanisms might include a hotline program or something similar.

• It is recommended that any report and corrective action be documented and kept as evidence.
Education, Training & Awareness
• Identify needs for trainings.
• A single common training for everyone is the wrong approach.

• Trainings on
– Risk Assessment
– Cyber Security
– Seals Inspection
– Internal Monitoring
– Emergency Situations
– CCTV recording random inspection
– Incident Investigation
– Conveyance Inspection
– Agriculture Security Inspection
– Business Partner Security

• Effectiveness of Trainings
69
Internal Management Systems
• Having a robust internal management system and
monitoring will help:
– Ensure that processes and procedures are
established.
– Test and verify that these processes and
procedures are effective.

• Risk Assessment
– Critical to have a solid RA process in place
integrated in your supply chain security program.
– Identify vulnerabilities and threats
– Mitigate current threat as needed
70
Internal Management Systems
1. Regular Trainings for New and Existing Staff

2. Periodic and Random Audits

3. Staying Informed on Local and National Laws

4. Reviewing and Auditing Various Business Partners

5. Proper Documentation of Results and Corrective Action Plans

71
Certification Levels (figure)
• Valid for 2 years
• Valid for 1 year
• Valid for 6 months

WRAP Trainings (figure)
• Awareness Seminar
• 2-day Internal Auditor Training
• C-TPAT for Foreign Manufacturers
• Fire Safety Training
Questions & Comments

78
Thank You!
Neni Triani
Indonesia Representative
[email protected] / +62 813 1444 1619
